dst-nat rule

rpingar · May 28, 2004, 4:08pm

we have a MT box doing NAT between the public addresses (62.94.214.xx/28) and the privates 10.0.0.xxx/24

we have a web server running on the 10.0.0.248. To reach from the internet this server I have done a dst-rule to translate the 62.94.214.y to 10.0.0.248

Giving the fact we run our corporate web on this server and that most of our customer have private ip I’d like to reach from inside the inside the server calling it at 62.94.214.y and not 10.0.0.248

The dst-nat rule dosen’t work from inside. When I call the public ip from inside the counter of teh rule works but nothing happen.

May someone more expert then me give an advice??

thanks

HarvSki · May 28, 2004, 4:39pm

one way to do this is to set up a static DNS A record for the private address in the DNS that serves your private address clients, this is only any good if that DNS server is not the authortive DNS for the domain.

rpingar · May 28, 2004, 4:44pm

is there another way?
because I need to find a solution that don’t guide me to have a more complex situation. another dns server…

thanks

rpingar · May 28, 2004, 4:58pm

solved!
I added a routing rule!

YazzY · May 28, 2004, 10:02pm

You could also do the same trick with a http proxy.

jimvan · May 29, 2004, 4:04am

you can also add a static internal entry in dns of MT router and add have MT dhcp point all internal clients to router for dns. Works great here.

Cameron_Earnshaw · May 30, 2004, 5:15pm

I’d like to do this too, but have never been able to get it to work without dst-nat, which doesn’t seem to work for certain aplications such as IP phones. Can you give an example of the route you added to get it to work? Did you have to add another NIC? Thanks.

Cameron

rpingar · May 30, 2004, 5:52pm

I just added a static route to the table I used for routing the web server.

I added: to 10.0.0.0/24 use the 10.0.0.1 gateway

But you could also have the dst-nat rule to translate the 62.94.214.y/32:80 to 10.0.0.248/32:80

So I can reach the webserver from inside the network using 10.0.0.248 or 62.94.214.y

Hope this can help you.

bye

Cameron_Earnshaw · May 31, 2004, 12:03pm

OK, I guess I misunderstood what you were doing. This is just the normal way of doing dst-nat in the Mikrotik. My problem is I find certain applications don’t want to work behind nat (IP phones, for example) so I want to have actual public addresses on LAN side of my Mikrotik as well. Setting up a segmented subnet such as 12.38.222.64/26 on the LAN side of the router (while having 12.38.222.0/24 on the WAN side) doesn’t seem to work. Or am I missing something?

rpingar · May 31, 2004, 12:13pm

I did the same think and it seems to work. You should activate proxy-arp on the lan interface.

so I can route private and public IP on the lan side.

bye